formbook | 6832b376821170cd1a109fec9ad84f2b32adaed7f592edfd1c02a4b0f708b8d6 | Triage

Submit
Reports

Overview

overview

Static

static

1

wise_depos...en.cmd

windows7-x64

wise_depos...en.cmd

windows10-2004-x64

Sharing

General

Target

25062024_1713_25062024_wise_deposit_note__1114218690__3287491072__eml.ZIP
Size

661KB
Sample

240625-vrexbasejh
MD5

8fcb77d198630126aaa72357b12affd2
SHA1

9eaf7411c920ac700bb6215b64f0385a2c9365c7
SHA256

6832b376821170cd1a109fec9ad84f2b32adaed7f592edfd1c02a4b0f708b8d6
SHA512

df2e66c9e2f42c76fa10e43aedef6922d3118e1db083864d348e4f0ec6467f441c27d80123078795f0f03c07f5db5f89bd43dd0ae7037f1c4502fa69481f6218
SSDEEP

12288:aBuVk4h/wydZLfYUI2Lof7luz+OhmVKbmYQPScKY4sgosML+SfkXX:w6/tDLQn2UfJvOJ6YQPStrXX

Score

10^/10

formbook ca63 persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

wise_deposit_note__1114218690__3287491072__en.cmd

Resource

win7-20240508-en

formbook ca63 persistence rat spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

wise_deposit_note__1114218690__3287491072__en.cmd

Resource

win10v2004-20240226-en

formbook ca63 persistence rat spyware stealer trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ca63

Decoy

themaxrichth.online

lhzshb.com

isacarrceramics.online

duhochanquoc.website

apexmedia.pro

33311.pro

x2mjbu8gg.shop

dashcreative.online

nifle.shop

hora.lol

rclrwa.asia

aviation-training-sqj.top

a9659a62.vip

uspgh.work

hhol5.top

jinkaida-cn.cn

watchwedding.com

728ym.lat

gillieron.swiss

bingsne.online

professionaljournalism.com

senior-living-15150.bond

chatsio.com

dr-jordan.site

sador.xyz

nagaways.online

552357.pro

domainupdate.site

3v5u21668.shop

dh76044.vip

cineflickapp.online

ht31a.vip

workingcat.online

9h6db.shop

evallc.net

sun20win.digital

683ym.lat

retrosystem.fun

bgkamil.xyz

androidmobiledk.today

gsptx.online

onlineit.sbs

violetnuit.shop

kyusgwh2.top

vdqgj.asia

helpmepeas.net

4399game.asia

tent-homes-10133.bond

moki.dev

raildriver.net

lkjuy.xyz

presentdadsmatter.shop

amp-kopi77i2.xyz

cyber-security-onli.bond

rtpcmbet27.xyz

80lrlaenant8.life

urostatingr.shop

xn--fiq73f39fx0y2hq.work

zc041.xyz

34-health.shop

yunhaicm.asia

domain-2.buzz

money1lifecoachingservice.net

5301ulovp.website

siasstudios.com

Targets

- Target
  
  wise_deposit_note__1114218690__3287491072__en.cmd
- Size
  
  2.4MB
- MD5
  
  42323f7609e2e5c56add77d01e27432f
- SHA1
  
  e5262c46781a8c58aaee00a529ed7597dbb2b698
- SHA256
  
  4cb31951ae2b4f8b86b532c25762252f28525f55061d8d09a356a9c8f12029b2
- SHA512
  
  0814feee3013a4409c3171f30dc9d9d4ffe5626e6ba28a257163fa8f26380751fbd5ba7077e47e9bcd59d8b852b50822fb3383c9a6366b8619db7627d9ded44d
- SSDEEP
  
  24576:IPHN8ur54cKt8AdV30Z3ZRYwVxrhWHmmV/MBm54hRCKxBJxsv:IPHSur5M8Ar30JnrQLMEBv
Score

10^/10

formbook ca63 persistence rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

formbookca63persistenceratspywarestealertrojan

behavioral2

formbookca63persistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy